Splunk® Enterprise Security Content Update

How to Use Splunk Security Content

Types of detection analytics

In the ESCU app, detections have the following categories:

Each yaml file for the detection in the security_content Github repository has a field called type. These types drive the workflow on the product:

Type Description Example
TTP Designed to detect a certain adversary tactic, technique, or procedure. Attempted Credential Dump From Registry via Reg exe
Anomaly Triggers on behavior that is not normally observed. Anomalous might not be explicitly malicious but can be suspect. For example, detection of executables that are not run before or a process using the network which does not normally use the network. Add Default User And Password In Registry
Hunting Increases the risk of an asset or entity but tends to be too noisy to generate a notable event by itself. It leverages aggregated risk from various other detections to produce a notable. Also known as hunting queries. 7zip CommandLine To SMB Share Path
Correlation Correlates various detection results to identify a high-level threat and generate a notable. Living Off The Land Detection
Baseline Helps in the maintenance of the analytic or create a baseline of data that detections can leverage. Baseline Of Cloud Instances Launched
Investigation Searches that leverage tokens and are used in the pre-built panels shipped by ESCU for Investigative Workbench in Splunk Enterprise Security. AWS Investigate Security Hub alerts by dest

The following table displays how each type is configured out of the box in the ESCU app.

Analytic type Create notable Create risk and threat objects Triggers playbook Tied to a dashboard Runs on CRON schedule Enabled by default
Hunting No No No Yes No No
TTP Yes Yes Yes No Yes No
Baseline No Yes Yes No Yes No
Anomaly No Yes No No Yes No
Correlation Yes No Yes No Yes Yes
Investigation No No No Yes No No
Last modified on 15 October, 2024
Components of a detection analytic   Status of detection analytics

This documentation applies to the following versions of Splunk® Enterprise Security Content Update: 3.22.0, 3.23.0, 3.24.0, 3.25.0, 3.26.0, 3.27.0, 3.28.0, 3.29.0, 3.30.0, 3.31.0, 3.32.0, 3.33.0, 3.34.0, 3.35.0, 3.36.0, 3.37.0, 3.38.0, 3.39.0, 3.40.0, 3.41.0, 3.42.0, 3.43.0, 3.44.0, 3.45.0, 3.46.0, 3.47.0, 3.48.0, 3.49.0, 3.50.0, 3.51.0, 3.52.0, 3.53.0, 3.54.0, 3.55.0, 3.56.0, 3.57.0, 3.58.0, 3.59.0, 3.60.0, 3.61.0, 3.62.0, 3.63.0, 3.64.0, 4.0.0, 4.0.1, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0, 4.8.0, 4.9.0, 4.10.0, 4.11.1, 4.12.0, 4.13.0, 4.14.0, 4.15.0, 4.16.0, 4.17.0, 4.18.0, 4.19.0, 4.20.0, 4.21.0, 4.22.0, 4.23.0, 4.24.0, 4.25.0, 4.26.0, 4.27.0, 4.28.0, 4.29.0, 4.30.0, 4.31.0, 4.31.1, 4.32.0, 4.33.0, 4.34.0, 4.35.0, 4.36.0, 4.37.0, 4.38.0, 4.39.0, 4.40.0, 4.41.0, 4.42.0, 4.43.0, 4.44.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters